•Re: Re: Re: How to identify invalid reg. expr.?

At my insistence on the P5P mailing list, the inline-execute feature was restricted to prevent this. From perldoc perlre:

                For reasons of security, this construct is for-
                 bidden if the regular expression involves run-
                 time interpolation of variables, unless the per-
                 ilous "use re 'eval'" pragma has been used (see
                 the re manpage), or the variables contain
                 results of "qr//" operator (see the
                 qr/STRING/imosx entry in the perlop manpage).

                 This restriction is because of the wide-spread
                 and remarkably convenient custom of using run-
                 time determined strings as patterns.  For exam-
                 ple:

                     $re = <>;
                     chomp $re;
                     $string =~ /$re/;

                 Before Perl knew how to execute interpolated
                 code within a pattern, this operation was com-
                 pletely safe from a security point of view,
                 although it could raise an exception from an
                 illegal pattern.  If you turn on the "use re
                 'eval'", though, it is no longer secure, so you
                 should only do so if you are also using taint
                 checking.  Better yet, use the carefully con-
                 strained evaluation within a Safe module.  See
                 the perlsec manpage for details about both these
                 mechanisms.
[download]

I forced the issue when Ilya was initially hesitant by saying that I would have a CERT warning prepared against Perl 5.6.0 if this feature went in without the restriction, as it would open up holes worldwide to many naive sites.

-- Randal L. Schwartz, Perl hacker

Comment on •Re: Re: Re: How to identify invalid reg. expr.? Download Code

Replies are listed 'Best First'.
Re: ?Re: Re: Re: How to identify invalid reg. expr.? by mephit (Scribe) on Jun 05, 2002 at 20:50 UTC
Here we go: Just to verify, I just changed it to `eval { use re 'eval'; no warnings; "" =~ /$searchstring/ };` [download] Run from the browser, it generates an internal server error (the log complains of premature end of script headers, regardless of how the script is run.) but no coredump. When run from the command line, the script is aborted and does dump core. Umm, yay. (Maybe the lack of core dump is due to apache? I'll look into it.) So, I'll consider removing the regex search completely, or building one from pieces as samtregar mentioned in a previous post. (I already have AND and ANY searches, though. We'll see what I can come up with.) Thanks for the tips, folks. -- There are 10 kinds of people -- those that understand binary, and those that don't.	[reply] [d/l]
•Re: Re: ?Re: Re: Re: How to identify invalid reg. expr.? by merlyn (Sage) on Jun 05, 2002 at 20:59 UTC
No, that's backwards. If you're building CGI, you do not want to `use re eval`. The default is the safety that I insisted they add. Just use this: `my $regex = param('foo'); $regex = eval { qr/$regex/ }; if ($@) { "it was bad... handle it" }` [download] Then use `$regex` later, safely, as a compiled regex. In fact, wait, it's simpler than that: `my $regex = param('foo'); $regex = eval { qr/$regex/ } or do { # handle failure };` [download] since `eval` will return `undef` on a failed block, or the compiled `Regex` object (always true) if it's a valid regex. -- Randal L. Schwartz, Perl hacker	[reply] [d/l] [select]
Re: •Re: Re: Re: How to identify invalid reg. expr.? by samtregar (Abbot) on Jun 05, 2002 at 20:14 UTC
That solves the worst problem, certainly, but what about a denial-of-service attack? It's not hard to craft a regex that won't be solved before the heat death of universe. Or one that crashes Perl through stack exhaustion. -sam	[reply]